Smack (Linux security module)
   HOME

TheInfoList



OR:

Smack (full name: Simplified Mandatory Access Control Kernel) is a
Linux kernel The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel. It was originally authored in 1991 by Linus Torvalds for his i386-based PC, and it was soon adopted as the kernel for the GNU ope ...
security module that protects data and process interaction from malicious manipulation using a set of custom mandatory access control (MAC) rules, with simplicity as its main design goal. It has been officially merged since the Linux 2.6.25 release, it was the main access control mechanism for the MeeGo mobile Operating System. It is also used to
sandbox A sandbox is a sandpit, a wide, shallow playground construction to hold sand, often made of wood or plastic. Sandbox or Sand box may also refer to: Arts, entertainment, and media * Sandbox (band), a Canadian rock music group * Sandbox ( ...
HTML5 web applications in the
Tizen Tizen () is a Linux-based mobile operating system backed by the Linux Foundation, mainly developed and used primarily by Samsung Electronics. The project was originally conceived as an HTML5-based platform for mobile devices to succeed MeeGo. Sa ...
architecture, in the commercial Wind River Linux solutions for embedded device development, in Philips Digital TV products., and in Intel's Ostro OS for
IoT The Internet of things (IoT) describes physical objects (or groups of such objects) with sensors, processing ability, software and other technologies that connect and exchange data with other devices and systems over the Internet or other com ...
devices. Since 2016, Smack is required in all Automotive Grade Linux (AGL) implementations where it provides in association with other Linux facilities the base for the AGL security framework.


Design

Smack consists of three components: *A kernel module that is implemented as a
Linux Security Module Linux Security Modules (LSM) is a Software framework, framework allowing the Linux kernel to support without bias a variety of computer security models. LSM is licensed under the terms of the GNU General Public License and is a standard part of the ...
. It works best with file systems that support
extended attributes Extended file attributes are file system features that enable users to associate computer files with metadata not interpreted by the filesystem, whereas regular attributes have a purpose strictly defined by the filesystem (such as permissions or ...
. *A startup script that ensures that device files have the correct Smack attributes and loads the Smack configuration. *A set of patches to the GNU Core Utilities package to make it aware of Smack extended file attributes. A set of similar patches to Busybox were also created. SMACK does not require user-space support.


Criticism

Smack has been criticized for being written as a new LSM module instead of an
SELinux Security-Enhanced Linux (SELinux) is a Linux kernel security module that provides a mechanism for supporting access control security policies, including mandatory access controls (MAC). SELinux is a set of kernel modifications and user-space t ...
security policy which can provide equivalent functionality. Such SELinux policies have been proposed, but none had been demonstrated. Smack's author replied that it would not be practical due to SELinux's complicated configuration syntax and the philosophical difference between Smack and SELinux designs.


References


Further reading

* * * * * * * {{Linux kernel 2008 software Linux kernel features Linux security software